Maze Ransomware Group Hacks Two Plastic Surgeons

Published at: May 6, 2020

A cybercrime group recently infected two plastic surgery studios with ransomware. They subsequently leaked patients’ Social Security numbers and other sensitive information onto the internet.

Emsisoft threat analyst Brett Callow told Cointelegraph on May 5 that Maze recently took credit for hacking a plastic surgeon named Kristin Tarbet. The group also claims to have hacked the Ashville Plastic Surgery Institute. He explained that in Tarbet’s case, the hackers have already leaked highly sensitive data:

“The data that has been posted included names, addresses, social security numbers as well as what appears to be before and after photos and photos taken during surgical procedures. The Maze group typically start by posting only a small amount of the data that was exfiltrated — it’s the equivalent of a kidnapper sending a pinky finger — so they may well have more data than has already been published.”

Callow explained that many ransomware incidents are caused by basic security failings. These include easy-to-crack credentials or unpatched remote access systems. He said that organizations should focus more on cybersecurity since “Maze uses a combination of strategies in order to gain access to networks including [Remote Desktop Protocol] exploitation, phishing, and spear-phishing.”

When it comes to the ransom requested by the hackers, he said that it cannot be known, but past attacks could serve as a guide:

“Only the criminals and the plastic surgeon will know the amount of the demand. In a previous case, Maze claimed their demand was $2 million: $1 million to decrypt the victim’s data and an additional $1 million to destroy the copy of it.”

More data to be leaked

When it comes to the Ashville Plastic Surgery Institute, the published data includes patient names, dates of birth, insurance details, patients’ implant order forms, before and after photos, and internal documents like income statements. Callow explained:

“This data dump is simply an initial warning shot. Should the company not pay, more data may be published.”

Callow said that this is not the first time the group has attacked two targets in the same industry. He explained that Maze’s victims often reside in the same geographic location or operate in the same industry. In a statement, Maze claimed that there is a reason behind those instances:

“We don’t need to use phishing attacks and slowly move from one target to another as we have the access to the hosting provider.”

From encrypting data to stealing it: the evolution of ransomware

In recent months, ransomware groups have started threatening to leak victims’ sensitive information if they are not paid. There was a time when ransomware groups would only render user data inaccessible and ask for a ransom to restore access to it. As Cointelegraph reported in late April, a cybercrime group has published personal and financial data from the Californian City of Torrance and threatened to release 200 gigabytes more after the city’s officials denied that any data was stolen.

In mid-April, the first major ransomware group — REvil — also announced that it intends to switch from Bitcoin (BTC) to privacy-centric altcoin Monero (XMR). At the time Callow said:

“Like other businesses, criminal enterprises adopt strategies that have been proven to work and, accordingly, if this switch proves successful for REvil, we’d expect to see other groups begin to experiment with demands in currencies other than bitcoin.”
